[RADIATOR] <AuthBy LDAP2> => AD => Group Nesting Issues

W.Siebert at t-systems.com
Thu May 26 13:38:14 CDT 2011


Hello,

The problem <AuthBy LDAP2> => AD => Group Nesting has been addressed over and over again in this forum but never sufficiently resolved.
We have more and more requirements in our projects to authenticate users in nested LDAP group environments.
I found a Perl script by Shawn Poulson, http://www.explodingcoder.com/cms/content/how-query-active-directory-security-group-membership, and adjusted it to my needs. The script has been tested directly and is very usable.

Shawn Poulson wrote: "A common task a developer may encounter is the need to find out what security group a user is a member of. This is critical information for an app to utilize a role-based authorization mechanism in web apps, client/server apps, login scripts, etc. When querying LDAP, this is as easy as enumerating the 'memberOf' attribute of the user account, right?

Not quite. The memberOf attribute lists distinguished names of all groups the user is an immediate member of. Additionally, memberOf will list both distribution and security groups as well as disabled groups, so it's important to check for these conditions. Most importantly, this does not include nested group membership. For example, say the user is a member of "IT Operations", and that group is a member of "IT Department". If we grant authorization to "IT Department", wouldn't we expect the user to inherit that right?

Ok, so we scan for the groups' parents recursively, right? Sure, but there's a much better way.

User accounts have a 'tokenGroups' attribute that contains the SIDs of all member enabled security groups AND their parents. Knowing the SID of a group, it is very fast to look it up from this attribute to check membership, taking only one query for the tokenGroups and another for each group SID lookup."
My problem is to convert this script to a PostSearchHook.

1. How can I avoid the second LDAP login/connection? <AuthBy LDAP2> is already logged in and connected; how can I get to the Net::LDAP level?

$_[4] is a Net::LDAP::Entry and caused an error:

Thu May 26 17:18:28 2011: ERR: Error in PostSearchHook(): Can't locate object method "root_dse" via package "Net::LDAP::Entry" at (eval 36) line 43.


2. How can I deliver the LDAP group name ($grp2chk in my script) from outside the hook? Can I use arguments in the hook directive? Something like this:

PostSearchHook() ("ASA_FULL", "ARGUMENT02");


The script:

#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Connection details as posted; credentials belong in a protected config file, not in the script.
my ($ldap_server, $ldap_username, $ldap_password) = ('10.11.11.112', 'radiator', 'Makaka77');
print "Connecting to LDAP...";     # Login to LDAP
my $ldap = Net::LDAP->new($ldap_server, async => 0) or die $@;
print "Binding... ";
# bind() always returns a Net::LDAP::Message; check its result code, not its truthiness
my $mesg = $ldap->bind($ldap_username, password => $ldap_password);
die "Bind failed: " . $mesg->error . "\n" if $mesg->code;
print $mesg->error_text(), "\n";
#Variablen###############################
my $usr2chk = 'aduser05';
my $grp2chk = 'ASA_FULL';
#$grp2chk = 'ASA_ANLS';
$grp2chk = 'ADMINS';
#Variablen###############################
my $userDN = GetDNByID($ldap, $usr2chk);
die "User $usr2chk not found\n" unless defined $userDN;
print "User DN: $userDN\n";
# Quick check if user is a (directly or nested) member of a group; evaluate once and reuse the result
my $check_OK = IsMemberOf($ldap, $userDN, GetDNByID($ldap, $grp2chk)) ? 1 : 0;
if ($check_OK) {
  print "User is a member of $grp2chk: $check_OK\n";
  # In the PostSearchHook this is the place where the reply attribute would be added:
  #   AddToReply            tacacsgroup = XXX
}
else {
  print "User is not a member of $grp2chk: $check_OK\n";
}
$ldap->unbind;
exit;

###Sub's###############################
# Is DN a member of a security group (directly or via nesting)?
# Usage: <bool> = IsMemberOf(<LDAP ref>, <DN of object>, <DN of group>)
sub IsMemberOf {
  my ($ldap, $objectDN, $groupDN) = @_;
  return 0 unless defined $groupDN && $groupDN ne "";
  my $groupSid = GetSidByDN($ldap, $groupDN);
  return 0 unless defined $groupSid && $groupSid ne "";
  # objectSid and tokenGroups are both binary SIDs, so a byte-wise eq is the right comparison
  my @matches = grep { $_ eq $groupSid } GetTokenGroups($ldap, $objectDN);
  return @matches > 0;
}
# Get object's SID by DN. Usage: <SID> = GetSidByDN(<LDAP ref>, <DN>)
sub GetSidByDN {
  my ($ldap, $objectDN) = @_;
  my $results = $ldap->search( base => $objectDN, scope => 'base',
                               filter => '(objectCategory=*)', attrs => ['objectSid'] );
  return undef if $results->code;
  return $results->count ? $results->entry(0)->get_value('objectSid') : undef;
}
# Gets the tokenGroups attribute of the provided DN. tokenGroups is a constructed attribute
# and is only returned by a base-scope search of the object itself.
# Usage: <Array of tokens> = GetTokenGroups(<LDAP ref>, <DN of object>)
sub GetTokenGroups {
  my ($ldap, $objectDN) = @_;
  my $results = $ldap->search( base => $objectDN, scope => 'base', filter => '(objectCategory=*)',
                               attrs => ['tokenGroups'] );
  return () if $results->code || !$results->count;
  return $results->entry(0)->get_value('tokenGroups');
}
# Get DN by sAMAccountName. Usage: <DN> = GetDNByID(<LDAP ref>, <ID>)
sub GetDNByID {
  my ($ldap, $ID) = @_;
  # escape the value so a user-supplied name cannot change the filter (LDAP filter injection)
  my $results = $ldap->search( base => GetRootDN($ldap),
                               filter => '(sAMAccountName=' . escape_filter_value($ID) . ')',
                               attrs => ['distinguishedName'] );
  return undef if $results->code;
  return $results->count ? $results->entry(0)->get_value('distinguishedName') : undef;
}
# Get Root DN of the logged-in domain (e.g. DC=yourdomain,DC=com). Usage: <DN> = GetRootDN(<LDAP ref>)
sub GetRootDN {
  my ($ldap) = @_;
  return ($ldap->root_dse->get_value('namingContexts'))[0];
}


Kind regards
Waldemar Siebert

T-Systems International GmbH
Corporate Customers
Telecommunications Services & Solutions (TSS)
Technical Engineering (TSS TE) - Security & Production Engineering
Dipl.-Ing. Waldemar Siebert
Address: Nauheimer Str. 101, D-70372 Stuttgart
Phone: +49 (711) 555 - 43989
Fax: +49 (6151) 937 - 3129
Mobile: +49 (151) 174 66 111
E-mail: w.siebert at t-systems.com
Internet: http://www.t-systems.com
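One shape the hook could take, written here as an added example and not as code from the post or from Radiator. It assumes the hook body is loaded from a file, that it is called as ($authby, $username, $p, $user, $entry) with $entry the Net::LDAP::Entry mentioned in the post, that the AuthBy LDAP2 object keeps its already-bound Net::LDAP handle in $authby->{ld}, and that $p->{rp} is the reply packet; all of these names need checking against the installed AuthLDAP2.pm.

```perl
# Added example; not code from the original post or from Radiator.
# Assumptions: loaded with  PostSearchHook file:"%D/nestedgroup.pl",
# called as ($authby, $username, $p, $user, $entry) with $entry a
# Net::LDAP::Entry, the bound handle in $authby->{ld}, reply packet in
# $p->{rp}. Check these names against your AuthLDAP2.pm before use.
use strict;
use warnings;
use Net::LDAP::Util qw(escape_filter_value);

my $REQUIRED_GROUP = 'ASA_FULL';   # group name from the post
my %sid_cache;                     # group name => objectSid (binary)

# Resolve a group's objectSid once and cache it: a group's SID never
# changes, so later authentications cost one tokenGroups lookup only.
sub group_sid {
    my ($ldap, $group) = @_;
    return $sid_cache{$group} if exists $sid_cache{$group};
    my $root = ($ldap->root_dse->get_value('namingContexts'))[0];
    my $res  = $ldap->search(
        base   => $root,
        filter => '(&(objectClass=group)(sAMAccountName='
                  . escape_filter_value($group) . '))',
        attrs  => ['objectSid'],
    );
    return undef if $res->code || !$res->count;
    return $sid_cache{$group} = $res->entry(0)->get_value('objectSid');
}

# tokenGroups is constructed by AD and is only returned by a base-scope
# search of the object itself; it already includes nested groups.
sub in_token_groups {
    my ($ldap, $dn, $sid) = @_;
    my $res = $ldap->search(base => $dn, scope => 'base',
                            filter => '(objectClass=*)', attrs => ['tokenGroups']);
    return 0 if $res->code || !$res->count;
    return scalar grep { $_ eq $sid } $res->entry(0)->get_value('tokenGroups');
}

# The anonymous sub is the last expression, so it is what Radiator gets
# back when it evals this file.
sub {
    my ($authby, $username, $p, $user, $entry) = @_;
    my $ldap = $authby->{ld};          # reuse the already-bound connection
    my $sid  = group_sid($ldap, $REQUIRED_GROUP);
    return unless defined $sid;        # unknown group: grant nothing
    if (in_token_groups($ldap, $entry->dn, $sid)) {
        $p->{rp}->add_attr('tacacsgroup', 'XXX');   # reply attribute from the post
    }
}
```

Because the user's DN comes from $entry->dn, the sAMAccountName lookup of the standalone script is not needed inside the hook, and the group name is fixed in the file rather than passed as a directive argument.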

